Loading acinclude.m4 +18 −0 Original line number Diff line number Diff line Loading @@ -2665,6 +2665,24 @@ AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]), if test "x$ca" = "xno" && test "x$capath" = "xno"; then AC_MSG_RESULT([no]) fi AC_MSG_CHECKING([whether to use builtin CA store of SSL library]) AC_ARG_WITH(ca-fallback, AC_HELP_STRING([--with-ca-fallback], [Use the built in CA store of the SSL library]) AC_HELP_STRING([--without-ca-fallback], [Don't use the built in CA store of the SSL library]), [ if test "x$with_ca_fallback" != "xyes" -a "x$with_ca_fallback" != "xno"; then AC_MSG_ERROR([--with-ca-fallback only allows yes or no as parameter]) fi ], [ with_ca_fallback="no"]) AC_MSG_RESULT([$with_ca_fallback]) if test "x$with_ca_fallback" = "xyes"; then if test "x$OPENSSL_ENABLED" != "x1" -a "x$GNUTLS_ENABLED" != "x1"; then AC_MSG_ERROR([--with-ca-fallback only works with OpenSSL or GnuTLS]) fi AC_DEFINE_UNQUOTED(CURL_CA_FALLBACK, 1, [define "1" to use built in CA store of SSL library ]) fi ]) Loading configure.ac +1 −0 Original line number Diff line number Diff line Loading @@ -3895,6 +3895,7 @@ AC_MSG_NOTICE([Configured to build curl/libcurl: SSPI support: ${curl_sspi_msg} ca cert bundle: ${ca} ca cert path: ${capath} ca fallback: ${with_ca_fallback} LDAP support: ${curl_ldap_msg} LDAPS support: ${curl_ldaps_msg} RTSP support: ${curl_rtsp_msg} Loading lib/vtls/gtls.c +9 −1 Original line number Diff line number Diff line Loading @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al. * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms Loading Loading 
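Review bot: The two new shell conditions use `test A -a B`, while the check just above them in this hunk (`test "x$ca" = "xno" && test "x$capath" = "xno"`) chains two test invocations with `&&`; `-a` is marked obsolescent in POSIX and parses ambiguously in some shells, so the new lines should follow the file's own form: `if test "x$with_ca_fallback" != "xyes" && test "x$with_ca_fallback" != "xno"; then` and `if test "x$OPENSSL_ENABLED" != "x1" && test "x$GNUTLS_ENABLED" != "x1"; then`. Enabling the option only verifies that OpenSSL or GnuTLS is selected; it does not verify that the GnuTLS in use actually provides gnutls_certificate_set_x509_system_trust (available since GnuTLS 3.0.20), so an older GnuTLS configured with --with-ca-fallback would presumably fail at compile or link time rather than at configure time. An AC_CHECK_FUNCS test for that symbol, or a note in the help string, would turn that into a clear configure-time error.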
@@ -487,6 +487,14 @@ gtls_connect_step1(struct connectdata *conn, } #endif #ifdef CURL_CA_FALLBACK /* use system ca certificate store as fallback */ if(data->set.ssl.verifypeer && !(data->set.ssl.CAfile || data->set.ssl.CApath)) { gnutls_certificate_set_x509_system_trust(conn->ssl[sockindex].cred); } #endif if(data->set.ssl.CRLfile) { /* set the CRL list file */ rc = gnutls_certificate_set_x509_crl_file(conn->ssl[sockindex].cred, Loading lib/vtls/openssl.c +7 −0 Original line number Diff line number Diff line Loading @@ -1960,6 +1960,13 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) data->set.str[STRING_SSL_CAPATH] ? data->set.str[STRING_SSL_CAPATH]: "none"); } #ifdef CURL_CA_FALLBACK else if(data->set.ssl.verifypeer) { /* verfying the peer without any CA certificates won't work so use openssl's built in default as fallback */ SSL_CTX_set_default_verify_paths(connssl->ctx); } #endif if(data->set.str[STRING_SSL_CRLFILE]) { /* tell SSL where to find CRL file that is used to check certificate Loading Loading
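Review bot: The return value of gnutls_certificate_set_x509_system_trust() is discarded in the new #ifdef CURL_CA_FALLBACK block, even though this branch is only entered when verifypeer is set and neither CAfile nor CApath was given; GnuTLS returns the number of certificates loaded or a negative error code, so a build whose system trust store is missing or unreadable carries on with no trust anchors and the peer check fails later with a much less specific error. The same pattern appears in the openssl.c section of this commit, where SSL_CTX_set_default_verify_paths() returns 0 on failure and is likewise unchecked. This function already keeps such results in `rc` (see the CRL call that follows in the hunk), so the fallback should do the same: store the result, report a negative value with failf() and return CURLE_SSL_CACERT_BADFILE, mirroring the CAfile error handling earlier in this function, and log the count otherwise so an empty store is visible in verbose output. gtls_connect_step1 begins and ends outside this hunk.
```c
#ifdef CURL_CA_FALLBACK
  /* use system ca certificate store as fallback */
  if(data->set.ssl.verifypeer &&
     !(data->set.ssl.CAfile || data->set.ssl.CApath)) {
    rc = gnutls_certificate_set_x509_system_trust(conn->ssl[sockindex].cred);
    if(rc < 0) {
      failf(data, "error reading system ca certificate store (%s)",
            gnutls_strerror(rc));
      return CURLE_SSL_CACERT_BADFILE;
    }
    infof(data, "found %d certificates in system ca store\n", rc);
  }
#endif
  /* … unchanged: CRL file handling … */
```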
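Review bot: The new comment in the openssl.c hunk misspells "verifying" as "verfying", and the else-branch leaves no trace in the log that the library's default verify paths are in use; with OpenSSL, SSL_CTX_set_default_verify_paths() loads the compiled-in OPENSSLDIR locations and also honours the SSL_CERT_FILE and SSL_CERT_DIR environment variables, so the trust anchors actually in effect depend on the process environment and are worth reporting. Besides checking the function's return value (raised for the gtls.c section, which has the same omission), an infof() in this branch such as `infof(data, "  CAfile/CApath: none, using the SSL library's default verify paths\n");` would let a failed peer check be traced back to the fallback. ossl_connect_step1 continues outside the hunk on both sides.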
acinclude.m4 +18 −0 Original line number Diff line number Diff line Loading @@ -2665,6 +2665,24 @@ AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]), if test "x$ca" = "xno" && test "x$capath" = "xno"; then AC_MSG_RESULT([no]) fi AC_MSG_CHECKING([whether to use builtin CA store of SSL library]) AC_ARG_WITH(ca-fallback, AC_HELP_STRING([--with-ca-fallback], [Use the built in CA store of the SSL library]) AC_HELP_STRING([--without-ca-fallback], [Don't use the built in CA store of the SSL library]), [ if test "x$with_ca_fallback" != "xyes" -a "x$with_ca_fallback" != "xno"; then AC_MSG_ERROR([--with-ca-fallback only allows yes or no as parameter]) fi ], [ with_ca_fallback="no"]) AC_MSG_RESULT([$with_ca_fallback]) if test "x$with_ca_fallback" = "xyes"; then if test "x$OPENSSL_ENABLED" != "x1" -a "x$GNUTLS_ENABLED" != "x1"; then AC_MSG_ERROR([--with-ca-fallback only works with OpenSSL or GnuTLS]) fi AC_DEFINE_UNQUOTED(CURL_CA_FALLBACK, 1, [define "1" to use built in CA store of SSL library ]) fi ]) Loading
configure.ac +1 −0 Original line number Diff line number Diff line Loading @@ -3895,6 +3895,7 @@ AC_MSG_NOTICE([Configured to build curl/libcurl: SSPI support: ${curl_sspi_msg} ca cert bundle: ${ca} ca cert path: ${capath} ca fallback: ${with_ca_fallback} LDAP support: ${curl_ldap_msg} LDAPS support: ${curl_ldaps_msg} RTSP support: ${curl_rtsp_msg} Loading
lib/vtls/gtls.c +9 −1 Original line number Diff line number Diff line Loading @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al. * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms Loading Loading @@ -487,6 +487,14 @@ gtls_connect_step1(struct connectdata *conn, } #endif #ifdef CURL_CA_FALLBACK /* use system ca certificate store as fallback */ if(data->set.ssl.verifypeer && !(data->set.ssl.CAfile || data->set.ssl.CApath)) { gnutls_certificate_set_x509_system_trust(conn->ssl[sockindex].cred); } #endif if(data->set.ssl.CRLfile) { /* set the CRL list file */ rc = gnutls_certificate_set_x509_crl_file(conn->ssl[sockindex].cred, Loading
lib/vtls/openssl.c +7 −0 Original line number Diff line number Diff line Loading @@ -1960,6 +1960,13 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) data->set.str[STRING_SSL_CAPATH] ? data->set.str[STRING_SSL_CAPATH]: "none"); } #ifdef CURL_CA_FALLBACK else if(data->set.ssl.verifypeer) { /* verfying the peer without any CA certificates won't work so use openssl's built in default as fallback */ SSL_CTX_set_default_verify_paths(connssl->ctx); } #endif if(data->set.str[STRING_SSL_CRLFILE]) { /* tell SSL where to find CRL file that is used to check certificate Loading